Millions of sensitive records exposed by mobile apps leaking back-end credentials

Developers have hard-coded credentials for back-end services into thousands of mobile apps, researchers found

Thousands of mobile applications, including popular ones, implement cloud-based, back-end services in a way that lets anyone access millions of sensitive records created by users, according to a recent study.

The analysis was performed by researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany, and the results were presented Friday at the Black Hat Europe security conference in Amsterdam. It targeted applications that use Backend-as-a-Service (BaaS) frameworks from providers like Facebook-owned Parse, CloudMine or Amazon Web Services.

BaaS frameworks offer cloud-based database storage, push notification, user administration and other services that developers can easily use in their apps. Their goal is to minimize the knowledge needed to maintain the back-end servers of an application.

All developers have to do is sign up with a BaaS provider, integrate its software development kit (SDK) in their applications, then use its services through simple application programming interfaces (APIs).

The researchers looked at how developers use these APIs and discovered that many of them include their primary BaaS access keys inside their apps. This is a very dangerous practice, because applications, especially mobile ones, can be easily reverse engineered to extract such credentials and access their back-end databases.

In order to see how widespread the problem was, the researchers built a tool that uses both static and dynamic analysis to identify which BaaS provider is used by an application and to extract the BaaS access keys from it, even if they’re obfuscated or computed at runtime.
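The static half of that approach can also be turned into a pre-release check on the developer's side. The following Python script is an added example, not the researchers' tool: it scans string literals pulled from a built app for credential-shaped values. The sample strings, rule names and entropy threshold are constructed for this example, and the AWS key prefix and Parse header are the publicly documented formats.

```python
import math
import re
from collections import Counter

# Constructed sample of string literals as they might be pulled from a built
# Android app (e.g. `strings classes.dex`). No value here is a real credential.
SAMPLE_STRINGS = [
    "com.example.notes.MainActivity",
    "ACTION_DOWNLOAD_COMPLETE_NOTIFICATION",          # long but low entropy
    "AKIAEXAMPLE123456789",                           # AWS access key ID shape
    "Ab3dEfGh1jKlMnOpQrStUvWxYz0123456789AbCd",       # 40-char secret shape
    "X-Parse-Master-Key",                             # Parse master-key header
    "https://api.parse.com/1/classes/Message",
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above ordinary identifiers."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# (rule name, pattern, minimum entropy). Names and thresholds are assumptions
# chosen for this example, not any provider's official detection rules.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("parse-master-key-header", re.compile(r"X-Parse-Master-Key", re.I), 0.0),
    ("high-entropy-literal", re.compile(r"^[A-Za-z0-9/+=_-]{32,}$"), 4.0),
]


def scan_strings(strings):
    """Return (rule, literal) pairs; the first matching rule wins per literal."""
    findings = []
    for s in strings:
        for name, pattern, min_entropy in RULES:
            if pattern.search(s) and shannon_entropy(s) >= min_entropy:
                findings.append((name, s))
                break
    return findings


def release_gate(strings) -> bool:
    """True when the build is clean, False when it carries credential-shaped literals."""
    return not scan_strings(strings)


if __name__ == "__main__":
    for rule, literal in scan_strings(SAMPLE_STRINGS):
        print(f"{rule:26s} {literal}")
    print("clean build" if release_gate(SAMPLE_STRINGS) else "BLOCK: embedded credentials found")
```

A check like this only catches keys stored as plain literals; keys that are obfuscated or assembled at runtime, which the researchers also recovered, need the dynamic analysis they describe.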

They ran their tool against more than two million Android and iOS apps and extracted 1,000 back-end credentials and associated database table names. Many of those credentials were reused in multiple apps from the same developer and, in total, they provided access to over 18.5 million records containing 56 million data items.

The researchers did not actually download the records, but they were able to count them and figure out their type by simply looking at the database tables. The records included car accident information, user-specific location data, birthdays, contact information, telephone numbers, pictures, valid email addresses, purchase data, private messages, baby growth data and even whole server backups.

The researchers even found a mobile Trojan that used a BaaS service to store data and SMS messages stolen from infected devices, along with the attackers’ own commands and planned tasks.

The inclusion of BaaS credentials in applications not only exposes data records to theft by anyone, but also to manipulation or deletion. Attackers could also use the credentials to store data in those databases at the expense of the real account owners, who might not even realize that this is happening.

Google, Apple and the BaaS providers have been contacted about the issue since April, and in turn notified some of the developers whose apps were affected. However, as of Nov. 12, access to over 52 million data items was still freely available with the exposed credentials, the researchers said.

Some of this data is in limbo, because the apps that created it don’t even exist anymore as their developers moved on to other things. The service providers can’t simply delete it either, because the accounts are still active.

This suggests that developers either don’t care or don’t know how to fix the problem.

Some BaaS providers, like Amazon and Parse, offer more advanced access control and the ability to authenticate individual app users with the back-end services instead of the whole app. However these can be hard to implement.

In some cases, implementing such identity management is so complicated that it defeats the primary goal of BaaS frameworks, which is to simplify developers’ jobs.

It’s no wonder that developers choose the easy route, which is also the insecure one, the researchers said.

While this is ultimately the developers’ problem, BaaS providers could improve their documentation so that even app creators with no security education can understand how to use the technology and the risks they're exposed to if they don’t do it properly. Providers could even force developers to take action by detecting apps that access their services using root access keys and displaying a warning, the researchers said.

Lucian Constantin

IDG News Service